Firewalls and Internet Security - Repelling the Wily Hacker
Author: William R. Cheswick and Steven M. BellovinPublisher: Addison-WesleyISBN: 0-201-63357-4Reviewed by Danny Yee
Cheswick and Bellovin have written the first book that deals specifically with the security of whole networks rather than of individual hosts. Based on their experience administering the Internet firewall at AT&T, as well as on existing papers and reports, Firewalls and Internet Security tells you how to connect a network to the Internet without exposing all your computers to nefarious attacks. It begins with an introduction to security issues and a review of TCP/IP protocols from the point of view of security, but the reader is assumed to have a good understanding of the TCP/IP, an understanding of basic security concepts and some knowledge of Unix.
The core of the book is a detailed look at how to set up and run a firewall. This begins by covering the mechanics of setting up a packet filter, application and circuit gateways, the uses and abuses of tunneling and the general limitations of firewalls. A long chapter then goes into some detail in describing the application level gateway setup at AT&T. Also contains a brief discussion of user authentication and a description of useful tools such as connection libraries, network monitors and logging programs. (They recommend doing a lot of logging.) Also discussed are counter-intelligence measures, decoys and lures, and how to use standard hacking tools to test your security yourself. The stress throughout is on keeping things simple, in traditional Unix style.
Cheswick and Bellovin then look at how things actually work in practice. Here they present a general typology of network attacks, an account of their encounter with the infamous 'Berferd' hacker in 1991, and some statistics on penetration attempts from their logs. I'm a bit unsure about some of the conclusions they draw from the latter (see below), but it's good to see some statistics being published.
To round things off there are chapters on legal issues (if you watch a hacker instead of kicking him off at once, are you responsible for any damage he does while using your system to connect elsewhere?) and cryptography. The appendix contains a list of free resources - software packages and information sources - available to those trying to maintain secure networks, a port by port analysis of TCP and UDP protocol weaknesses and some suggestions for vendors and manufacturers of networking hardware and software.
This is great stuff, and I have only one quibble. I feel Cheswick and Bellovin are a little too paranoid in places, not in their evaluation of possible threats or in the precautions they suggest, but in their evaluation of the intensity of hacking activity. So attempts to rlogin in to their gateway as root, while they may be “evil”, are almost certainly due to bored university undergraduates - I should think it's the last thing a competent hacker would try. (Of course competent hackers probably have more sense than to attack a hardened target like AT&T at all, let alone head on.) Attempts to log in as guest, demo or visitor are surely signs of cluelessness, and hardly deserve to be labelled “attacks” or “evil”. And a graph which is supposed to show that hackers are less active on weekends, to me suggests instead that most of their “penetration” attempts are from company employees or university students who don't even have net access on weekends. Using the term “hacker” instead of “cracker” for those up to no good is one thing; debasing the term to include everyone capable of typing “rlogin research.att.com -l root” is another. It's a far cry from that to being able to mount sequence number attacks on TCP connections.
Firewalls and Internet Security has no rival; while much of the information it provides is available elsewhere, no comparable summary exists. Anyone in charge of installing or administering an Internet firewall would be insane not to get a copy. And while some of it is irrelevant to smaller sites, much will be useful to anyone concerned with TCP/IP network security. That said, it should be pointed out again that this is not an introductory book on security; not only does it assume a solid knowledge of internet protocols, but it doesn't deal with anything except external network threats. Of course anyone with pretensions to being an Internet hacker will also want to read this book (if only to find out why they shouldn't try to crack AT&T :-) and it can be read just for enjoyment. As well as being extremely informative, Firewalls is also extremely entertaining, with the authors managing to inject some lightheartedness into their subject while still respecting its seriousness. I finished my copy within a day of receiving it.
Declaration of interest: I requested and received a review copy of Firewalls and Internet Security from Addison-Wesley, but have no stake, financial or otherwise, in its success.
Firewalls and Internet Security - Repelling the Wily Hacker, by William R. Cheswick and Steven M. Bellovin. ISBN 0-201-63357-4
Danny Yee email@example.com
This review and other reviews by Danny Yee are available by anonymous ftp from ftp.cs.su.oz.au in danny/book-reviews.
Comments on my reviews are always welcome. Criticism of any kind is particularly appreciated - anything from pointing out spelling mistakes to disagreement with the basic assumptions of the review.
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Validate an E-Mail Address with PHP, the Right Way
- RSS Feeds
- Readers' Choice Awards
- Tech Tip: Really Simple HTTP Server with Python
- BASH script to log IPs on public web server
2 hours 24 min ago
6 hours 17 sec ago
- Reply to comment | Linux Journal
6 hours 32 min ago
- All the articles you talked
8 hours 56 min ago
- All the articles you talked
8 hours 59 min ago
- All the articles you talked
9 hours 43 sec ago
13 hours 25 min ago
- Keeping track of IP address
15 hours 16 min ago
- Roll your own dynamic dns
20 hours 29 min ago
- Please correct the URL for Salt Stack's web site
23 hours 41 min ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?